Backport of Fix policy lookup to allow for slashes into release/1.16.x (#18372)

* backport of commit 1a9cded960965d615a3a2146a4fef656839b1e34 * backport of commit cfec746d8b2d0b47b4aa66c951defa135f8791de * backport of commit 8a9db4cffc557641f9209770c6134086f25322af * backport of commit ac13bf16d6b5f853c26003cf088ff03988d8e235 --------- Co-authored-by: Jeremy Jacobson <jeremy.jacobson@hashicorp.com>
2023-08-03 16:43:45 -04:00 · 2023-08-03 16:43:45 -04:00 · 44ef42b4c2
parent d1a52f31a2
commit 44ef42b4c2
3 changed files with 100 additions and 2 deletions
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@ -6,6 +6,7 @@ package agent
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"

 	"github.com/hashicorp/consul/acl"
@ -145,6 +146,12 @@ func (s *HTTPHandlers) ACLPolicyCRUD(resp http.ResponseWriter, req *http.Request
 }

 func (s *HTTPHandlers) ACLPolicyRead(resp http.ResponseWriter, req *http.Request, policyID, policyName string) (interface{}, error) {
+	// policy name needs to be unescaped in case there were `/` characters
+	policyName, err := url.QueryUnescape(policyName)
+	if err != nil {
+		return nil, err
+	}
+
 	args := structs.ACLPolicyGetRequest{
 		Datacenter: s.agent.config.Datacenter,
 		PolicyID:   policyID,
--- a/command/acl/acl_helpers.go
+++ b/command/acl/acl_helpers.go
@ -45,9 +45,17 @@ func GetTokenAccessorIDFromPartial(client *api.Client, partialAccessorID string)
 }

 func GetPolicyIDFromPartial(client *api.Client, partialID string) (string, error) {
-	if partialID == "global-management" {
-		return structs.ACLPolicyGlobalManagementID, nil
+	// try the builtin policies (by name) first
+	for _, policy := range structs.ACLBuiltinPolicies {
+		if partialID == policy.Name {
+			return policy.ID, nil
+		}
 	}
+
+	if policy, ok := structs.ACLBuiltinPolicies[partialID]; ok {
+		return policy.ID, nil
+	}
+
 	// The full UUID string was given
 	if len(partialID) == 36 {
 		return partialID, nil
--- a/command/acl/acl_test.go
+++ b/command/acl/acl_test.go
@ -0,0 +1,83 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package acl
+
+import (
+	"fmt"
+	"io"
+	"testing"
+
+	"github.com/hashicorp/consul/agent"
+	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/testrpc"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_GetPolicyIDByName_Builtins(t *testing.T) {
+	t.Parallel()
+
+	a := agent.StartTestAgent(t,
+		agent.TestAgent{
+			LogOutput: io.Discard,
+			HCL: `
+				primary_datacenter = "dc1"
+				acl {
+					enabled = true
+					tokens {
+						initial_management = "root"
+					}
+				}
+			`,
+		},
+	)
+
+	defer a.Shutdown()
+	testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("root"))
+
+	client := a.Client()
+	client.AddHeader("X-Consul-Token", "root")
+
+	for _, policy := range structs.ACLBuiltinPolicies {
+		name := fmt.Sprintf("%s policy", policy.Name)
+		t.Run(name, func(t *testing.T) {
+			id, err := GetPolicyIDByName(client, policy.Name)
+			require.NoError(t, err)
+			require.Equal(t, policy.ID, id)
+		})
+	}
+}
+
+func Test_GetPolicyIDFromPartial_Builtins(t *testing.T) {
+	t.Parallel()
+
+	a := agent.StartTestAgent(t,
+		agent.TestAgent{
+			LogOutput: io.Discard,
+			HCL: `
+				primary_datacenter = "dc1"
+				acl {
+					enabled = true
+					tokens {
+						initial_management = "root"
+					}
+				}
+			`,
+		},
+	)
+
+	defer a.Shutdown()
+	testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("root"))
+
+	client := a.Client()
+	client.AddHeader("X-Consul-Token", "root")
+
+	for _, policy := range structs.ACLBuiltinPolicies {
+		name := fmt.Sprintf("%s policy", policy.Name)
+		t.Run(name, func(t *testing.T) {
+			id, err := GetPolicyIDFromPartial(client, policy.Name)
+			require.NoError(t, err)
+			require.Equal(t, policy.ID, id)
+		})
+	}
+}